fix JWKS KID selection

Author: guFalcon

pom.xml

@@ -10,7 +10,7 @@
 
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>oauth-token-manager</artifactId>
-	<version>1.0.10</version>
+	<version>1.0.11</version>
 	<name>OauthTokenManager</name>
 	<packaging>jar</packaging>
 

src/main/java/info/unterrainer/oauthtokenmanager/OauthTokenManager.java

@@ -12,6 +12,8 @@
 import java.security.PublicKey;
 import java.security.spec.RSAPublicKeySpec;
 import java.util.Base64;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 
 import org.keycloak.TokenVerifier;
 import org.keycloak.common.VerificationException;
@@ -32,91 +34,131 @@ public class OauthTokenManager {
 	private final String host;
 	private final String realm;
 
-	private String authUrl;
-	private PublicKey publicKey = null;
+	private String jwksUrl;
+	private final Map<String, PublicKey> publicKeysByKid = new ConcurrentHashMap<>();
+	private volatile long lastFetchTimestamp = 0L;
 
-	public void initPublicKey() {
-		String correctedHost = host;
-		String correctedRealm = realm;
+	private static final long REFRESH_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours cache-validity
 
-		if (publicKey != null)
-			return;
-		if (!correctedHost.endsWith("/"))
-			correctedHost += "/";
-		if (!correctedRealm.startsWith("/"))
-			correctedRealm = "/" + correctedRealm;
+	public synchronized void initPublicKeys() {
+		String correctedHost = host.endsWith("/") ? host : host + "/";
+		String correctedRealm = realm.startsWith("/") ? realm.substring(1) : realm;
+		jwksUrl = correctedHost + "realms/" + correctedRealm + "/protocol/openid-connect/certs";
 
-		authUrl = correctedHost + "realms" + correctedRealm + "/protocol/openid-connect/certs";
 		try {
-			log.info("Getting public key from: [{}]", authUrl);
-			publicKey = fetchPublicKey(authUrl);
+			log.info("Fetching JWKS from [{}]", jwksUrl);
+			ObjectMapper om = new ObjectMapper();
+			HttpClient client = HttpClient.newHttpClient();
+			HttpRequest req = HttpRequest.newBuilder().uri(URI.create(jwksUrl)).GET().build();
+			HttpResponse<String> res = client.send(req, HttpResponse.BodyHandlers.ofString());
+			if (res.statusCode() >= 300)
+				throw new IOException("Failed to fetch JWKS: HTTP " + res.statusCode());
+
+			JsonNode jwks = om.readTree(res.body());
+			Map<String, PublicKey> newMap = new ConcurrentHashMap<>();
+
+			for (JsonNode key : jwks.withArray("keys")) {
+				if (!key.has("kid") || !key.has("n") || !key.has("e"))
+					continue;
+				String kid = key.get("kid").asText();
+				String n = key.get("n").asText();
+				String e = key.get("e").asText();
+
+				BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(n));
+				BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(e));
+
+				RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
+				PublicKey pk = KeyFactory.getInstance("RSA").generatePublic(spec);
+				newMap.put(kid, pk);
+			}
+
+			publicKeysByKid.clear();
+			publicKeysByKid.putAll(newMap);
+			lastFetchTimestamp = System.currentTimeMillis();
+
+			log.info("Loaded {} JWKS keys from {} (kids={})", newMap.size(), jwksUrl, newMap.keySet());
 		} catch (Exception e) {
-			log.error("There was an error fetching the PublicKey from the openIdConnect-server [{}].", authUrl);
-			throw new IllegalStateException(e);
+			log.error("Failed to fetch JWKS keys from [{}]", jwksUrl, e);
+			throw new IllegalStateException("Could not load JWKS from " + jwksUrl, e);
 		}
 	}
 
-	private PublicKey fetchPublicKey(String jwksUrl) throws Exception {
-		ObjectMapper objectMapper = new ObjectMapper();
-		HttpClient client = HttpClient.newHttpClient();
-		HttpRequest request = HttpRequest.newBuilder().uri(URI.create(jwksUrl)).GET().build();
-
-		HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
-
-		if (response.statusCode() >= 300) {
-			throw new IOException("Failed to fetch JWKS: HTTP " + response.statusCode());
+	public String extractKidFromJwt(String jwt) {
+		try {
+			String[] parts = jwt.split("\\.");
+			if (parts.length < 2)
+				return null;
+			String headerJson = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
+			JsonNode node = new ObjectMapper().readTree(headerJson);
+			return node.has("kid") ? node.get("kid").asText() : null;
+		} catch (Exception e) {
+			return null;
 		}
+	}
 
-		JsonNode jwks = objectMapper.readTree(response.body());
-		// Just take the first key for now.
-		JsonNode key = jwks.get("keys").get(0);
-
-		String modulusBase64 = key.get("n").asText();
-		String exponentBase64 = key.get("e").asText();
-
-		byte[] modulusBytes = Base64.getUrlDecoder().decode(modulusBase64);
-		byte[] exponentBytes = Base64.getUrlDecoder().decode(exponentBase64);
-
-		BigInteger modulus = new BigInteger(1, modulusBytes);
-		BigInteger exponent = new BigInteger(1, exponentBytes);
-
-		RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
-		KeyFactory factory = KeyFactory.getInstance("RSA");
-		return factory.generatePublic(spec);
+	public PublicKey getKeyForKid(String kid) {
+		if (publicKeysByKid.isEmpty() || System.currentTimeMillis() - lastFetchTimestamp > REFRESH_INTERVAL_MS)
+			initPublicKeys();
+
+		PublicKey pk = publicKeysByKid.get(kid);
+		if (pk == null) {
+			log.warn("No cached key for kid='{}'. Refreshing JWKS...", kid);
+			initPublicKeys();
+			pk = publicKeysByKid.get(kid);
+			if (pk == null) {
+				log.error("JWKS refresh did not contain kid='{}'. Possible misconfiguration or key rotation issue.",
+						kid);
+				throw new UnauthorizedException("Unknown key ID: " + kid);
+			}
+		}
+		return pk;
 	}
 
-	/**
-	 * Checks the access token and verifies its signature. If the token is valid,
-	 * returns a tenantId.
-	 *
-	 * @param accessToken
-	 * @return tenantId or null if the token is invalid or not present.
-	 */
 	public String checkAccess(String accessToken) {
 		try {
 			TokenVerifier<AccessToken> tokenVerifier = persistUserInfoInContext(accessToken);
 			if (tokenVerifier == null)
-				throw new UnauthorizedException();
+				throw new UnauthorizedException("Token could not be parsed.");
 
-			initPublicKey();
-			tokenVerifier.publicKey(publicKey);
-			try {
-				tokenVerifier.verifySignature();
-			} catch (VerificationException e) {
-				throw new UnauthorizedException(
-						"Error verifying token from user with publicKey obtained from keycloak.", e);
-			}
+			String rawJwt = accessToken.startsWith("Bearer ") ? accessToken.substring(7) : accessToken;
+			String kid = extractKidFromJwt(rawJwt);
+			if (kid == null)
+				throw new UnauthorizedException("Token has no 'kid' header.");
+
+			PublicKey pk = getKeyForKid(kid);
 
 			try {
+				tokenVerifier.publicKey(pk);
+				tokenVerifier.verifySignature();
 				tokenVerifier.verify();
-				AccessToken token = tokenVerifier.getToken();
-				return (String) token.getOtherClaims().get("tenants_read");
 			} catch (VerificationException e) {
-				throw new ForbiddenException();
+				// Retry once after forced JWKS refresh
+				log.warn("Signature verification failed for kid='{}'. Retrying after JWKS refresh.", kid);
+				initPublicKeys();
+				PublicKey refreshedPk = publicKeysByKid.get(kid);
+				if (refreshedPk == null) {
+					log.error("Token verification failed after refresh. kid='{}' unknown.", kid);
+					throw new UnauthorizedException("Invalid token signature. kid=" + kid, e);
+				}
+				try {
+					tokenVerifier.publicKey(refreshedPk);
+					tokenVerifier.verifySignature();
+					tokenVerifier.verify();
+				} catch (VerificationException e2) {
+					throw new UnauthorizedException("Token signature invalid after refresh (kid=" + kid + ")", e2);
+				}
 			}
+
+			AccessToken token = tokenVerifier.getToken();
+			return (String) token.getOtherClaims().get("tenants_read");
+
+		} catch (VerificationException e) {
+			throw new UnauthorizedException("Token verification failed.", e);
+		} catch (UnauthorizedException | ForbiddenException e) {
+			throw e;
 		} catch (Exception e) {
 			log.error("Error checking token.", e);
-			throw e;
+			throw new UnauthorizedException("Error verifying token: " + e.getMessage(), e);
 		}
 	}
 
@@ -129,20 +171,12 @@ private TokenVerifier<AccessToken> persistUserInfoInContext(String authorization
 
 		try {
 			TokenVerifier<AccessToken> tokenVerifier = TokenVerifier.create(authorizationHeader, AccessToken.class);
-			RemoteOauthToken remoteAccessToken = RemoteOauthToken.builder()
-					.accessToken(tokenVerifier.getToken())
-					.build();
-			if (!remoteAccessToken.getAccessToken().isActive()) {
-				log.warn("Token is inactive.");
+			AccessToken token = tokenVerifier.getToken();
+			if (token == null || !token.isActive()) {
+				log.warn("Token is inactive or null.");
 				return null;
 			}
-			// Disabled to enable getting token from side-channels like 'localhost'.
-			/*
-			 * if (!remoteAccessToken.getIssuer().equalsIgnoreCase(authUrl)) {
-			 * log.warn("Token has wrong real-url."); return null; }
-			 */
 			return tokenVerifier;
-
 		} catch (VerificationException e) {
 			log.warn("Token was checked and deemed invalid.", e);
 			return null;
@@ -156,37 +190,29 @@ public LocalOauthTokens getTokensFromCredentials(String clientId, String usernam
 	public LocalOauthTokens getTokensFromCredentials(String clientId, String clientSecret, String username,
 			String password) {
 		try {
-			String tokenEndpoint = host;
-			if (!tokenEndpoint.endsWith("/"))
-				tokenEndpoint += "/";
+			String tokenEndpoint = host.endsWith("/") ? host : host + "/";
 			tokenEndpoint += "realms/" + realm + "/protocol/openid-connect/token";
 
 			String form = "grant_type=password" + "&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
 					+ "&username=" + URLEncoder.encode(username, StandardCharsets.UTF_8) + "&password="
 					+ URLEncoder.encode(password, StandardCharsets.UTF_8);
-			if (clientSecret != null) {
+			if (clientSecret != null)
 				form += "&client_secret=" + URLEncoder.encode(clientSecret, StandardCharsets.UTF_8);
-			}
 
-			HttpRequest request = HttpRequest.newBuilder()
+			HttpRequest req = HttpRequest.newBuilder()
 					.uri(URI.create(tokenEndpoint))
 					.header("Content-Type", "application/x-www-form-urlencoded")
 					.POST(HttpRequest.BodyPublishers.ofString(form))
 					.build();
 
 			HttpClient client = HttpClient.newHttpClient();
-			HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
-
-			if (response.statusCode() >= 300) {
-				throw new IOException("Token request failed: HTTP " + response.statusCode() + " - " + response.body());
-			}
+			HttpResponse<String> res = client.send(req, HttpResponse.BodyHandlers.ofString());
+			if (res.statusCode() >= 300)
+				throw new IOException("Token request failed: HTTP " + res.statusCode() + " - " + res.body());
 
 			ObjectMapper mapper = new ObjectMapper();
-			JsonNode json = mapper.readTree(response.body());
+			JsonNode json = mapper.readTree(res.body());
 			log.info("Token received successfully.");
-			log.debug("Access token: {}", json.get("access_token").asText());
-			log.debug("Refresh token: {}", json.get("refresh_token").asText());
-
 			return LocalOauthTokens.builder()
 					.accessToken(json.get("access_token").asText())
 					.refreshToken(json.get("refresh_token").asText())
@@ -197,5 +223,4 @@ public LocalOauthTokens getTokensFromCredentials(String clientId, String clientS
 			throw new IllegalStateException("Unable to get token", e);
 		}
 	}
-
 }